Hi Danielle,

I think you could recreate the entry. The information can be found in "o=ipaca" 
database.

ldapsearch -D "cn=directory manager" -W -b 
"ou=certificateRepository,ou=ca,o=ipaca" "(subjectname=CN=Certificate 
Authority,o=example.test)" usercertificate

(remember that in RHEL6 you will need to query instance in 7389 port, that is 
to say, add "-p 7389 -h localhost" to the ldapsearch command).

And recreate your entry with this information:

========================================================

dn: cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com
objectClass: nsContainer
objectClass: pkiCA
objectClass: top
cn: CAcert
cACertificate;binary: <value found in the former command, in the 
usercertificate attribute>

========================================================

Another possibility. If this deleted entry has not been purged, you could find 
still the information as a tomsbtone. And then, re-create the entry with the 
information in the tombstone:

ldapsearch -D "cn=directory manager" -W -b "dc=example,dc=test" 
"(&(objectclass=nstombstone)(cn=CAcert))"

you will see an entry with a dn of this sort:

dn: 
nsuniqueid=f3b4a182-ae3111e5-a3a1dc9f-3b3599c3,cn=CAcert,cn=ipa,cn=etc,dc=example,dc=test

And you could add a new entry (shown before) with the exact information found 
in the tombstone, changing the dn by the right one, of course.

Regards,

German.


----- Original Message -----
> From: "Danielle M Witherspoon" <dmwit...@us.ibm.com>
> To: freeipa-users@redhat.com
> Sent: Wednesday, December 23, 2015 8:08:20 PM
> Subject: [Freeipa-users] (no subject)
> 
> 
> 
> Hello everyone,
> 
> We've run into an issue with our instance of IPA. Our LDAP certificate was
> deleted with the command "ldapdelete -Y GSSAPI
> "cn=CAcert,cn=ipa,cn=etc,dc=example,dc=test"". When we now attempt to enroll
> servers as IPA clients, we get the following (sanitized for this email)
> output:
> 
> 
> [root@server1 ~]# ipa-client-install –enable-dns-updates
> Discovery was successful!
> Hostname: server1.SERVER.local
> Realm: SERVER.LOCAL
> DNS Domain: SERVER.local
> IPA Server: ipaserver1.SERVER.local
> BaseDN: dc=server dc=local
> 
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: bob
> Synchronizing time with KDC...
> Password for bob@SERVER.LOCAL:
> Cannot obtain CA certificate
> 'ldap://ipaserver1.SERVER.local' doesn't have a certificate.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
> 
> Advice on how to remediate this issue would be welcomed with open arms.
> 
> Thank you for your time,
> Danielle Witherspoon
> 
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to